<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: akloya</title>
    <description>The latest articles on DEV Community by akloya (@akloya).</description>
    <link>https://dev.to/akloya</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F173880%2F4cfec4d6-000e-4d1b-ada1-93d06ebe6142.jpg</url>
      <title>DEV Community: akloya</title>
      <link>https://dev.to/akloya</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/akloya"/>
    <language>en</language>
    <item>
      <title>Security Is a State Of Mind, Not an End State</title>
      <dc:creator>akloya</dc:creator>
      <pubDate>Wed, 06 Jan 2021 17:27:34 +0000</pubDate>
      <link>https://dev.to/akloya/security-is-a-state-of-mind-not-an-end-state-3719</link>
      <guid>https://dev.to/akloya/security-is-a-state-of-mind-not-an-end-state-3719</guid>
      <description>&lt;p&gt;The global threat landscape is evolving at an unprecedented rate. Cybercriminals are finding new and novel ways to exploit technology and human psychology to profit. Despite their best efforts, individuals and organizations are falling victim to breaches, ransomware, and all kinds of attacks almost every day.&lt;/p&gt;

&lt;h3&gt;Why is this happening? For two main reasons:&lt;/h3&gt;

&lt;p&gt;First, it’s becoming increasingly easy for cybercriminals to operate. A decade ago, it was hard and time-consuming to create malware, distribute it widely, and make a profit. Today, it’s quick and easy. One can use open source tools to build malware, rent a malware distribution framework to spread it cheaply, and use bitcoin to collect money anonymously and make a quick buck. One can steal credit cards or identities and sell them anonymously using Amazon-like marketplaces on the dark web. One can devise a phone scam that intimidates people into logging in to their bank account and wiring money out, or even driving to a Target to buy gift cards and mail them. All of these are real examples happening today. Criminals are stealing billions of dollars from unsuspecting people every day.&lt;/p&gt;

&lt;p&gt;Second, individuals and organizations have a fundamental disadvantage against cybercriminals. Most individuals are unsuspecting by nature. It’s easy to exploit them through social engineering and lure or intimidate them into taking action. Most organizations have annual security awareness training programs, but many employees find them boring, skim through them as quickly as possible, and move on. More importantly, organizations rely on dedicated security teams to keep their employees and assets safe, and those teams in turn rely on security tools to monitor threats and respond. But security tools can only go so far, since they accept false negatives in order to avoid false positives. Plus, the bad guys have access to most tools and can test their attacks against them, but we don’t have access to threats, so we’re fundamentally at a disadvantage from a technology standpoint.&lt;/p&gt;

&lt;h3&gt;How can we prevent this from happening?&lt;/h3&gt;

&lt;p&gt;We think the answer is to make security a “state of mind” and not treat it as an “end state.” Here at LeanTaaS, one of our core product engineering values is to “err on the side of security.” That means doing whatever is right to keep things safe, even if that causes inconvenience to someone, or if that breaks something at the moment. Which is why it’s “err on the side of.” It’s based on a core principle that the cost of an inconvenience or breakage is less than the potential cost of a breach. The act of trying to balance security and convenience can happen later, and may not be possible.&lt;/p&gt;

&lt;p&gt;We try to imbibe this value day in and day out in everything we do and make it a core cultural tenet in the organization. Culture is how decisions get made when no one is looking. We hope to have everyone err on the side of security when no one is looking.&lt;/p&gt;

&lt;p&gt;We think that’s critical to defend ourselves against today’s cybercrime. Security is not one team or one tool’s responsibility. We’re all vulnerable and we all need to stay vigilant and err on the side of safety all the time — for our own safety, for our organization’s safety.&lt;/p&gt;

</description>
      <category>security</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>GitHub Actions now includes our most-requested feature: built-in CI/CD and it’s free for open source</title>
      <dc:creator>akloya</dc:creator>
      <pubDate>Thu, 08 Aug 2019 17:24:36 +0000</pubDate>
      <link>https://dev.to/akloya/github-actions-now-includes-our-most-requested-feature-built-in-ci-cd-and-it-s-free-for-open-source-1nc8</link>
      <guid>https://dev.to/akloya/github-actions-now-includes-our-most-requested-feature-built-in-ci-cd-and-it-s-free-for-open-source-1nc8</guid>
      <description>&lt;p&gt;With GitHub Actions, it is now easy to automate all your software workflows with world-class CI/CD. Build, test, and deploy your code right from GitHub. Make code reviews, branch management, and issue triaging work the way you want.&lt;/p&gt;

&lt;p&gt;Sign up for the beta:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/features/actions"&gt;https://github.com/features/actions&lt;/a&gt;&lt;/p&gt;

</description>
      <category>github</category>
    </item>
    <item>
      <title>AWS Service Quota (view and manage quotas for our aws services)</title>
      <dc:creator>akloya</dc:creator>
      <pubDate>Fri, 28 Jun 2019 17:30:59 +0000</pubDate>
      <link>https://dev.to/akloya/aws-service-quota-view-and-manage-quotas-for-our-aws-services-53do</link>
      <guid>https://dev.to/akloya/aws-service-quota-view-and-manage-quotas-for-our-aws-services-53do</guid>
      <description>&lt;p&gt;Wow, I was looking at my AWS console and saw Service Quotas. I just googled it and found that Amazon has introduced a new service to view and manage quotas for AWS services.&lt;/p&gt;

&lt;p&gt;This sure is going to make life easier when it comes to knowing the service limits and increasing quotas. Based on my first glance, this one does have more options than Trusted Advisor service limits.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-service-quotas-view-and-manage-quotas-for-aws-services-from-one-location/"&gt;https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-service-quotas-view-and-manage-quotas-for-aws-services-from-one-location/&lt;/a&gt;&lt;/p&gt;

</description>
      <category>aws</category>
      <category>servicequotas</category>
    </item>
    <item>
      <title>List AWS Lambda functions not associated with VPC</title>
      <dc:creator>akloya</dc:creator>
      <pubDate>Thu, 27 Jun 2019 23:57:15 +0000</pubDate>
      <link>https://dev.to/akloya/list-aws-lambda-functions-not-associated-with-vpc-3d3m</link>
      <guid>https://dev.to/akloya/list-aws-lambda-functions-not-associated-with-vpc-3d3m</guid>
      <description>&lt;p&gt;AWS Lambda has gained a lot of popularity, and most companies use it today.&lt;/p&gt;

&lt;p&gt;For some security requirements, you may need to list all Lambda functions that are not associated with a VPC. The script below can help you do that.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import boto3
from botocore.exceptions import ClientError

client = boto3.client('lambda')
# list_functions returns results in pages, so walk every page
paginator = client.get_paginator('list_functions')
for page in paginator.paginate():
    for function in page['Functions']:
        try:
            response = client.get_function(
                FunctionName=function['FunctionName']
            )
            # VpcConfig is absent, or VpcId is empty, when no VPC is attached
            vpcid = response['Configuration'].get('VpcConfig', {}).get('VpcId')
            if not vpcid:
                print("==&amp;gt;" + function['FunctionName'])
        except ClientError as e:
            # e is an exception object; convert it before concatenating
            print("[ERROR] Invoking Lambda Function " + str(e))
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



</description>
      <category>lambda</category>
      <category>python</category>
      <category>aws</category>
      <category>devops</category>
    </item>
    <item>
      <title>Enable AWS EBS encryption By default</title>
      <dc:creator>akloya</dc:creator>
      <pubDate>Fri, 31 May 2019 05:07:19 +0000</pubDate>
      <link>https://dev.to/akloya/enable-ebs-encryption-by-default-5ala</link>
      <guid>https://dev.to/akloya/enable-ebs-encryption-by-default-5ala</guid>
      <description>&lt;p&gt;Based on &lt;a href="https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+AmazonWebServicesBlog+%28Amazon+Web+Services+Blog%29"&gt;Jeff Barr's recent blog post&lt;/a&gt;, AWS makes it easier and simpler for you to protect your data from unauthorized access. I feel this should be enabled by anyone who uses AWS.&lt;/p&gt;

&lt;p&gt;If you prefer to do this via the AWS CLI, make sure you have updated to the latest version of the CLI [aws-cli/1.16.169 Python/2.7.10 Darwin/17.7.0 botocore/1.12.159]:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;aws ec2 enable-ebs-encryption-by-default

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;blockquote&gt;
&lt;p&gt;Note: You will have to run this command in every region you operate in.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Below is a Python script that enables it for the regions you are interested in:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import boto3

# list the regions you are interested to run this script on
regions = ['us-east-1']

for region in regions:
    client = boto3.client('ec2', region)
    response = client.enable_ebs_encryption_by_default()
    print("Default EBS Encryption for region", region,": ",  response['EbsEncryptionByDefault'])

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;blockquote&gt;
&lt;p&gt;Note: The script above uses the default EBS key. If you want to use a different KMS key, use the call below.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;response = client.modify_ebs_default_kms_key_id(
    KmsKeyId='string'
)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



</description>
      <category>aws</category>
      <category>ebs</category>
      <category>python</category>
      <category>devops</category>
    </item>
    <item>
      <title>AWS CloudWatch Log Group Retention</title>
      <dc:creator>akloya</dc:creator>
      <pubDate>Fri, 31 May 2019 02:54:39 +0000</pubDate>
      <link>https://dev.to/akloya/aws-cloudwatch-log-group-retention-3l47</link>
      <guid>https://dev.to/akloya/aws-cloudwatch-log-group-retention-3l47</guid>
      <description>&lt;p&gt;Amazon CloudWatch Logs is used as a centralized place to monitor, store, and access all our log files from different AWS services.&lt;/p&gt;

&lt;p&gt;CloudWatch organizes logs into log groups. When a new log group is created, its retention period is set to Never expire by default, which means logs will be retained forever.&lt;/p&gt;

&lt;p&gt;Here is a sample Python script that sets the retention period to 60 days for log groups that have no retention set.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import boto3
# set the number of retention days 
retention_days = 60
# list the regions you are interested to run this script on
regions=['us-east-1']

for region in regions:
    client = boto3.client('logs',region)
    response = client.describe_log_groups(
    )
    nextToken=response.get('nextToken',None)
    retention = response['logGroups']
    while (nextToken is not None):
        response = client.describe_log_groups(
            nextToken=nextToken
        )
        nextToken = response.get('nextToken', None)
        retention = retention + response['logGroups']
    for group in retention:
        if 'retentionInDays' in group.keys():
            print(group['logGroupName'], group['retentionInDays'],region)
        else:
            print("Retention Not found for ",group['logGroupName'],region)
            setretention = client.put_retention_policy(
                logGroupName=group['logGroupName'],
                retentionInDays=retention_days
                )
            print(setretention)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Once this script is run, the problem is solved for existing log groups. It would be nice to automate this by using CloudWatch Events to run the Python code in a Lambda function, so that all log groups created going forward have a retention value set.&lt;/p&gt;

</description>
      <category>aws</category>
      <category>python</category>
      <category>devops</category>
    </item>
  </channel>
</rss>
